[CentOS-devel] Help Clair Support CentOS

Fri Apr 9 15:53:58 UTC 2021
Johnny Hughes <johnny at centos.org>

On 4/9/21 10:27 AM, Louis DeLosSantos wrote:
> Hello,
> 
> My name is Louis and I'm the core maintainer of Clar:
> https://github.com/quay/clair <https://github.com/quay/clair>
> 
> Clair is a project for scanning containers for vulnerabilities.
> 
> We'd like to support CentOS but we need a little help in the form of
> information gathering.
> 
> For Clair to properly support a distribution we typically require it to
> have an official upstream vulnerability database. For example, RHEL has
> their own Oval 2 feeds as does
> Ubuntu, Suse, etc...
> 
> What we are trying to determine is how we can extract packages from
> CentOS containers and match against known vulnerabilities.
> 
> We have the first half worked out already, we have generic RPM database
> scanners which extract package names and versions.
> 
> The second half is where we need some more information.
> 
> A few questions:
> * Does CentOS maintain its own security database for packages in its
> downstream repositories ?
> * If not, can we reliably treat any CentOS packages (name, versions)
> identical to the way we treat RHEL packages. (For instance if we find
> package A with version B can we attempt to match this against RHEL's
> Oval v2 stream?)
> * Can you provide any information on package naming, versioning, and
> packaging that creates a difference between RHEL packages and CentOS?
> 
> Thank you for your time, I look forward to hearing back.
> 

CentOS 8 Linux is going EOL in 7 months .. I would not recommend doing
anything for that WRT security info.

CentOS 8 Stream will not have the exact versions from RHEL .. it will be
slightly ahead of released RHEL (it will the the source code which will
become the NEXT point release of RHEL .. usually between 1 and 6 months
ahead of the current RHEL).

CentOS 7 Linux is a direct rebuild of release RHEL 7 source code.
However, neither the CentOS Project or Red Hat provide any assurance
that CentOS has or fixes ANY security issues.  We have never tested for
any, and we never will.  CentOS Linux 7 is just built source code that
users decide either meets or does not meet their requirements.

We announce CentOS 7 Linux updates here:
https://lists.centos.org/pipermail/centos-announce/

That lists our shasums .. and a link to what Red Hat said the update was
for .. BUT .. the CentOS Project does not do any validations or make any
claims about the software other than we built and released the packages.
We also make it easier for users to look at what the update is said to
have fixed. But, it is the user's responsibility to test anything they
want to test prior to use.

As to any assumptions to whether or not the same version of a RHEL and
CentOS Linux package is the same .. we make no claims on that either.
The were built, in a different closed build system, from the same source
code.  The build systems are completely different .. so the packages are
never identical.  Only an individual user can determine if this is good
enough for them to use.  Only they can determine the risk they are
willing to accept for testing they require for assurance WRT security.
The purpose of all the testing that RHEL does and the software assurance
they provide (for a cost) is why RHEL exists.  That is the only Red Hat
distribution that exists that has this assurance.